Privacy Policy

AriyoEvents(“we”, “us”, “our”) is a Nigerian event-hosting platform owned and operated by D3F Solutions, a Nigerian company. We connect hosts who run events with the guests who attend, the vendors who service them, and the gate scanners who admit them.

We're the data controllerfor the personal data we collect about you, in the sense given by the Nigeria Data Protection Act, 2023 (the “NDPA”). When you host an event, you become the controller for any data your guests give specifically to you (e.g. dietary requirements you collect via a custom registration field) — and we act as your processor in that narrower scope.

Questions, complaints, or requests about your data should go to our Data Protection Officer at privacy@ariyoevents.com. For everything else (bug reports, business enquiries) email support@ariyoevents.com.

We only collect what we actually need. The categories are:

• Account info — full name, email address, phone number, password (stored as a bcrypt hash, never readable), optional profile photo, optional social handles.
• Sign-in identities— if you choose “Continue with Google / Facebook / Apple”, we receive a stable user ID from that provider plus your email and display name. We do not receive your password, contacts, friends list, or anything else outside the basic profile.
• Event activity — events you create or register for, ticket types you bought, registration history, scan / check-in records, seating assignments.
• Community content — posts, photos, replies, and reactions you publish in any event community you joined.
• Vendor activity — if you list vendor services, we store your portfolio, services, prices, quotes you send, and reviews you receive.
• Payment metadata — amount, reference, status, and method of every payment. We never see or store your card number, CVV, PIN, or bank password — those go directly to our processor (9 Payment Service Bank, a CBN-licensed Nigerian bank).
• Coarse location— only if you tap “Near me” on Discover. We use the city name (resolved client-side from your phone's location) once and never persist your raw GPS coordinates on our servers.
• Device + technical info — IP address (truncated for logs), browser / user-agent, app version, OS (Android / iOS / Web). Used for security, fraud prevention, and crash logs.
• Notification tokens— if you allow notifications, the opaque device token your phone gives us so we can deliver alerts (e.g. “your registration is confirmed”).
• Camera (scan-only, on-device)— when you tap a Scan button (gate check-in, scanning a QR pass), we briefly access your phone's camera to read the QR code. The video stream is processed entirely on your device — frames never leave your phone, are never uploaded to our servers, and are never stored. The only thing we receive is the decoded QR text (a short reference likeAE-RG-12345) once you successfully scan. You can revoke camera access any time via your phone's system settings; the rest of the app keeps working.

We do not collect: precise GPS coordinates (we never store them), contacts, calendar entries, photo library content outside what you explicitly upload, microphone, biometric data (see below).

On phones that support it, you can enable Face ID, Touch ID, or Android fingerprint to unlock the AriyoEvents app. The biometric check happens entirely on your device— your face/finger template is stored in the secure enclave of your phone and is never transmitted to us, our servers, or any third party. We simply receive a yes/no signal from your operating system. You can turn this off any time in the app's Settings.

Under the NDPA we have to tell you the lawful basis for each category of processing. Here's ours:

• Performance of contract — running your account, issuing passes, scanning tickets, settling host payouts. Without this we cannot deliver the service you signed up for.
• Consent— opting in to push / email notifications, tapping “Near me” for location, enabling biometric unlock. You can withdraw consent at any time from system Settings or the app.
• Legitimate interests — fraud detection, abuse prevention, basic product analytics (counts, never per-user tracking). We have weighed this against your privacy rights and judged it minimal-impact.
• Legal obligation — keeping payment records for the period required by Nigerian financial-records regulation.

We share data only with the third parties needed to run the service. We do not sell, rent, or trade your data, and we never run advertising on it.

• 9 Payment Service Bank (9PSB)— to process card and bank-transfer payments for paid tickets. They receive payer name, email, phone, amount, and a reference. They're bound by their own privacy policy and CBN regulation.
• The host of an event you register for — they see your name, email, phone, ticket type, and check-in status so they can run their event. They become an independent controller of that copy of your data and are themselves bound by the NDPA.
• Sign-in providers— when you click “Continue with Google / Facebook / Apple”, the provider knows you signed in to AriyoEvents. We never push data back to them.
• BigDataCloud— when you tap “Near me”, your phone sends raw GPS coordinates to BigDataCloud's free public reverse-geocode endpoint. The lookup happens client-side, in your browser/app, not via our servers. We receive only the resolved city name.
• Resend(transactional email provider, optional) — when we send you a welcome email, pass-ready confirmation, or payment receipt, the message body and your email address transit Resend. They're GDPR-aligned and don't use the data for advertising.
• Hosting infrastructure — Vercel (web hosting), Cloudflare (DNS, future image storage), our cPanel-managed PHP backend (data + APIs hosted in the EU). All transit uses HTTPS / TLS 1.2+.
• Law enforcement — only when we receive a valid Nigerian court order, subpoena, or other legally enforceable demand. We push back on overbroad requests.

Your account database lives on cPanel servers in the European Union (Frankfurt). The web app is delivered via Vercel's global edge network. Static media (avatars, event banners, community photos) currently sits on the cPanel disk and may move to Cloudflare R2 in a future release.

Any cross-border data transfer outside Nigeria is covered by standard contractual clauses or the recipient's NDPC- recognised adequacy where applicable. Backups are kept for 30 days then permanently deleted.

• Account data — for as long as your account is active, plus 12 months after deletion request, to help resolve disputes, chargebacks, and refunds.
• Payment records — 7 years (Nigerian financial-records regulation).
• Community posts and photos — until you delete them, or 12 months after the host event ends, whichever comes first.
• Coarse-location lookups — never persisted on our servers; only your detected city is cached in your local app storage.
• Crash logs and IP audit trails — 90 days.

As a data subject you have the following rights. Exercising them is free and we respond within 30 days.

• Access — see everything we hold about you. Profile + History pages cover most of it; for a full machine-readable dump, email privacy@ariyoevents.com.
• Rectification — correct inaccurate data. The Profile screen lets you edit name, email, phone, headshot, and social handles directly.
• Erasure — delete your account. Email privacy@ariyoevents.com with the subject “Delete my account”. We wipe your account within 7 days. Anonymised registration counts are kept for the host's historical records.
• Restriction — ask us to stop processing while a dispute is resolved.
• Objection — to legitimate-interest processing. We honour this unless we have an overriding legal reason and tell you what it is.
• Portability — receive your data in a structured, machine-readable format (we use JSON).
• Withdraw consent — for anything you opted into, at any time, without affecting the lawfulness of processing before withdrawal.
• Disable notifications— at any time via your phone's system Settings, or by opting out in the in-app notification preferences.
• Complain to the regulator — you can lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng. We'd appreciate the chance to fix things first, but that right exists either way.

Our web app uses local storage (not browser cookies) to keep you signed in across visits. The native iOS / Android app uses the equivalent secure storage on your device. We don't use third-party tracking cookies, advertising pixels, or cross-site tracking. The handful of items we store are:

• Session token — keeps you signed in. Cleared when you log out.
• UI preferences— your last-detected “Near me” city, biometric-unlock toggle, dismissed onboarding hints.
• Notification dismissals— so an alert you closed doesn't reappear next visit.

AriyoEvents is intended for users 16 years and older. We don't knowingly collect data from anyone younger. If you're a parent or guardian and believe your child has registered without permission, email privacy@ariyoevents.com and we'll delete the account within 7 days.

We use industry-standard safeguards:

• Passwords are hashed with bcrypt (slow, salted).
• Session tokens are stored as SHA-256 hashes — even if our database leaked, tokens couldn't be replayed.
• All API traffic uses HTTPS with TLS 1.2 or higher.
• Payment notifications carry a SHA-512 signature plus basic-auth and an IP whitelist.
• Apple Sign-In tokens are verified against Apple's public keys; Google ID tokens are verified server-side via Google's tokeninfo; Facebook tokens are validated with our app secret.

No system is perfect. If you spot a security issue, please email privacy@ariyoevents.com with the subject “Security report”. We respond within 48 hours and won't take legal action against researchers who give us a reasonable chance to fix things before going public.

When we change this policy, we update the “Last updated” date at the top. For substantive changes (new data categories, new sharing partners), we notify you via the in-app inbox at least 14 days before the change takes effect — so you have time to delete your account if you disagree.

Data Protection Officer: privacy@ariyoevents.com

General support: support@ariyoevents.com

Postal address:D3F Solutions, Lagos, Nigeria (we'll provide the full street address on request — we don't list it publicly to avoid junk mail).